
Deciphering encoded spam? Help?


showker


I would sincerely appreciate it if someone could reply with a link to an online chart that shows the ASCII equivalents for email encoded with "equal" characters ("=").

Quite often the "=" in URLs is "=3D" and periods "=2F".

But I haven't been able to find a chart anywhere that will show me the other characters. What is that called?

SAMPLE:

> =C3=CE=D1=D3=C4=C0=D0=D1=D2=C2=C5=CD=CD=CE=C3=CE
> =C7=C0=CA=C0=C7=C0<BR>=CF=F0=E0=EA=F2=E8=F7=E5=F1=EA=E8=E5
> =E7=ED=E0=ED=E8=FF<BR>=CE=F2=E2=E5=F2=FB =ED=E0 =E2=F1=E5
> =C2=E0=F8=E8 =E2=EE=EF=F0=EE=F1=FB<BR>
> =C2 =EA=E0=F7=E5=F1=F2=E2=E5 =F0=E0=E7=E4=E0=F2=EE=F7=ED=EE=E3=EE
> =EC=E0=F2=E5=F0=E8=E0=EB=E0 -
> =E0=E2=F2=EE=F0=F1=EA=E8=E5 =F0=E0=E7=F0=E0=E1=EE=F2=EA=E8
> <BR>

END SAMPLE.

Can someone explain???

Thanks

Fred


> But I haven't been able to find a chart anywhere that will show me the other characters. What is that called?

It is called MIME quoted-printable encoding. It is often used in mail bodies to represent text in non-ASCII character sets. To encode a byte value, QP uses the "=" followed by the hex value of the byte. As you note, "=3D" is the encoding for the "=" itself. Because most of the byte values in your quote are above 0x7f (decimal 127), they are not ASCII and therefore probably in some foreign character set, so using an ASCII chart won't be helpful.

If you want to convert this to something that you can read, you would have to find out first what character set it is composed in. This is usually specified in the "charset=" MIME statement in the packet.

The best thing to do with this might be to view the raw packet in a web browser (e.g., using the preview link of a SpamCop page), and then force the browser to use the character set specified in the "charset" field; this should decode the QP and also supply the correct glyphs (characters) for the display.

I have some further information on my website at http://www.rickconner.net/spamweb/pop-expose-body.html.

Hope this is helpful,

-- rick

On edit: I left a step out of the process described above, so I'm striking it out. In fact, you will first need to use some sort of tool to convert the "=nn" to the corresponding byte values. I have one that I use on my local computer, but it is hard to find one online. There is http://www.toastedspam.com/decodeqp, but I am not convinced that it works well with eight-bit characters (i.e., foreign character sets). There are others that you can download and run on your computer locally, try a google for "quoted printable decoder." Once you have the byte values (which may look like "text salad" to you), you can then put them in a plain text file and display them in your web browser, forcing the browser to use the character set in the "charset" tag.

The resulting message will almost certainly be in a foreign language (Russian, Chinese, etc.) so you won't get much out of it unless you can read these languages. You can get crude translations from Google etc.


The example is heavily modified - Rick's approach is the way to go but cleaning it up (Wordpad and global replaces) to

C3CED1D3C4C0D0D1D2C2C5CDCDCEC3CEC7C0CAC0C7C0

CFF0E0EAF2E8F7E5F1EAE8E5E7EDE0EDE8FF

CEF2E2E5F2FB EDE0 E2F1E5C2E0F8E8 E2EEEFF0EEF1FB

C2EAE0F7E5F1F2E2E5F0E0E7E4E0F2EEF7EDEEE3EE

ECE0F2E5F0E8E0EBE0

E0E2F2EEF0F1EAE8E5F0E0E7F0E0E1EEF2EAE8

and feeding that through Sweet Sixteen gives

ÃÎÑÓÄÀÐÑÒÂÅÍÍÎÃÎÇÀÊÀÇÀÏðàêòè÷åñêèåçíàíèÿÎòâåòûíàâñåÂàøèâîïðîñûÂêà÷åñòâåðàçäàòî÷íîãîìàòåðèàëààâòîðñêèåðàçðàáîòêè

which is representative of nothing I recognize offhand - maybe a table, something to do with a character set as Rick suggests.

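A worked example of the two steps Rick describes (undo the "=XX" escapes first, then apply a character set), added here as an illustration; it is my code, not anything posted by Rick, Farelf or the other participants. The sample body is the QP text from the first post with the "> " quote prefixes removed; the "Latin-1 view" it prints reproduces the accented "text salad" that Sweet Sixteen produced in the previous post, because that tool rendered the raw bytes as Western (Latin-1) characters instead of Cyrillic. Everything else is an assumption of the example: the candidate charset list, the letter-frequency heuristic used to rank them, and the MIME headers in the constructed message (the thread never shows the real headers). Decoding the sample as windows-1251 yields readable Russian, which is what the heuristic picks.

```python
"""Decode a quoted-printable (QP) mail body and guess its 8-bit charset.

Added example for this thread, not code from the original posters.
Standard library only; the sample body is copied from the first post.
"""
import email
import email.policy
import quopri
import re

# The body quoted in the opening post (constructed here from the thread;
# the "> " prefixes have been stripped, the <BR> tags are as posted).
SAMPLE_QP = """\
=C3=CE=D1=D3=C4=C0=D0=D1=D2=C2=C5=CD=CD=CE=C3=CE
=C7=C0=CA=C0=C7=C0<BR>=CF=F0=E0=EA=F2=E8=F7=E5=F1=EA=E8=E5
=E7=ED=E0=ED=E8=FF<BR>=CE=F2=E2=E5=F2=FB =ED=E0 =E2=F1=E5
=C2=E0=F8=E8 =E2=EE=EF=F0=EE=F1=FB<BR>
=C2 =EA=E0=F7=E5=F1=F2=E2=E5 =F0=E0=E7=E4=E0=F2=EE=F7=ED=EE=E3=EE
=EC=E0=F2=E5=F0=E8=E0=EB=E0 -
=E0=E2=F2=EE=F0=F1=EA=E8=E5 =F0=E0=E7=F0=E0=E1=EE=F2=EA=E8
<BR>
"""

# Single-byte Cyrillic encodings that commonly turn up in mail (assumed list).
CANDIDATE_CHARSETS = ("windows-1251", "koi8-r", "iso-8859-5", "cp866")

# The ten most frequent letters of Russian text (assumed heuristic): a
# correctly decoded Russian body is dominated by them, a wrong charset is not.
COMMON_RU = set("оеаинтсрвл")


def qp_to_bytes(qp_text: str) -> bytes:
    """Step 1: turn '=XX' escapes back into raw bytes. No charset is applied."""
    return quopri.decodestring(qp_text.encode("ascii"))


def mojibake_view(raw: bytes) -> str:
    """What a Western-charset viewer shows for these bytes (the 'text salad')."""
    return raw.decode("latin-1")


def strip_html_breaks(text: str) -> str:
    """Replace the <BR> tags the sender used as line breaks."""
    return re.sub(r"<br\s*/?>", "\n", text, flags=re.IGNORECASE)


def russian_score(text: str) -> float:
    """Fraction of non-space characters that are common Russian letters."""
    chars = [c for c in text if not c.isspace()]
    if not chars:
        return 0.0
    hits = sum(1 for c in chars if c.lower() in COMMON_RU)
    return hits / len(chars)


def guess_charset(raw: bytes) -> tuple[str, str, float]:
    """Step 2 when no charset= header survives: try each candidate and keep
    the one whose output looks most like Russian. Returns (charset, text, score)."""
    best = ("", "", -1.0)
    for cs in CANDIDATE_CHARSETS:
        text = strip_html_breaks(raw.decode(cs, errors="replace"))
        score = russian_score(text)
        if score > best[2]:
            best = (cs, text, score)
    return best


def decode_mime_message(raw_message: bytes) -> str:
    """Step 2 when the headers are available: let the email package undo the
    Content-Transfer-Encoding and apply the declared charset= value."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    body = msg.get_payload(decode=True)  # QP (or base64) -> raw bytes
    charset = msg.get_content_charset() or "ascii"
    return strip_html_breaks(body.decode(charset, errors="replace"))


# A constructed message wrapping the same body as it would arrive with its
# MIME headers intact. The headers are assumed; the thread never shows them.
SAMPLE_MESSAGE = (
    "From: someone@example.invalid\r\n"
    "Subject: test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=windows-1251\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n" + SAMPLE_QP.replace("\n", "\r\n")
).encode("ascii")


if __name__ == "__main__":
    raw = qp_to_bytes(SAMPLE_QP)
    print("Latin-1 view:", mojibake_view(raw).splitlines()[0])
    cs, text, score = guess_charset(raw)
    print(f"best guess {cs} (score {score:.2f}):")
    print(text)
    print("with headers:", decode_mime_message(SAMPLE_MESSAGE).splitlines()[0])
```

The ranking only needs to separate plausible from implausible decodings: every candidate here maps all 256 byte values to some character, so a "does it decode without error" check cannot distinguish them, whereas the common-letter fraction does. When the message is available with headers, use decode_mime_message and skip the guessing; the charset= parameter is what a mail client uses to render the body.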

> nothing I recognize offhand - maybe a table, something to do with a character set as Rick suggests.
I tried a couple of cyrillic sets, as these are the ones that turn up most often in my spam. No luck. Maybe Chinese, but I couldn't tell if it worked or not. Perhaps showker can share a tracking link on this message so we can get a better look at the MIME info.

-- rick


> I would sincerely appreciate it if someone could reply with a link to an online chart that shows the ASCII equivalents for email encoded with "equal" characters ("=").
> Quite often the "=" in URLs is "=3D" and periods "=2F".

If you just want to decode it into whatever 8-bit code it was originally, then it's one of the things that WinZip can do.

I did a 'Save As' from my email client,

then renamed the extension from .eml to .uue, which made it 'owned' by WinZip.

Then click on it, which makes WinZip offer to extract it to a folder you choose as "0001.txt".

HTH


> I did a 'Save As' from my email client, then renamed the extension from .eml to .uue, which made it 'owned' by WinZip. Then click on it, which makes WinZip offer to extract it to a folder you choose as "0001.txt".

Thanks, Michaelanglo. I had overlooked this previously.

I normally use this technique for saving the MIME attachments (pictures usually) from spams detained by SpamCop, but I tried it out on a Russian spam and it does convert the QP encoding in the body back to normal bytes. If the character set isn't properly identified in the MIME header, you may still have to force it to Cyrillic (or whatever) using the encoding menu of your browser or editor.

What I usually do is to save the raw packet from my browser or mail program to a file using a .MIME extension (e.g., "spam.mime") and then double-click it. The built-in decoder in Mac OS X opens this automatically on my home machine, while the Windows version of Stuffit will open it on my work machine. You can also decode the spam using WinZip according to the method you describe.

-- rick


> ...Is there ANYONE who can read the spam directly in their browser?
Hard to tell - I don't usually "read" it, except as "page source" for the purpose of copying and pasting to report (and it then transforms to that hex mush) but I'm reasonably sure the mail client view would show the Cyrillic if I opened one, Mozilla or Outlook. I get real mail with Cyrillic parts and it is no problem to view.

> Is there ANYONE who can read the spam directly in their browser?

Yes, millions of people in Russia (or China, or Korea, or Japan, etc.). All modern browsers & mail programs will decode QP and render it in the indicated character set using an appropriate font as Cyrillic text (or Han or Hangul or Kanji or whatever). If the message made it to your browser or mail program, you too would be able to read it (if you could read these languages).

In this case, you are receiving the spam but you are probably not part of the intended audience.

Spam has become practically a conventional advertising medium in Russia, and many Russians spam indiscriminately for mundane products like kitchen appliances, business training seminars, home improvement services, and the like. Inevitably these spams leak outside the spammer's target market in a form of "overspray" (by analogy with "blowback").

I have some more info at my website: http://www.rickconner.net/spamweb/spam_russian.html

-- rick


Okay. I use SpamCop's web-based email interface, so it's all geek in that program. I use the web-based interface because I simply don't want to bring it down to my computer.

Rick,

You seem to be very knowledgeable about all this. I really enjoy your web site and have referenced several items in my Delicious page.

Let me ask yet a further question:

Would it be illegal for an entity to offer an award for "Proof of Concept" of a botnet that would counter spam IPs and botnets? Seems if it works one way -- it should surely work the other way too.

What do you suppose the reaction would be if someone put up --say-- $100,000.00 -- to the first programmer who could successfully accomplish and sustain that?

Or, do you think anyone capable of such a feat is already hired out by the criminals, making much more, and not interested?

Thanks in advance


> You seem to be very knowledgeable about all this. I really enjoy your web site and have referenced several items in my Delicious page.

Thanks!

> Would it be illegal for an entity to offer an award for "Proof of Concept" of a botnet that would counter spam IPs and botnets? Seems if it works one way -- it should surely work the other way too.

Probably it would not be illegal to make such an offer, but those trying to compete for the prize might be led down some shady paths. You seem to have chosen your weapon (i.e., a "white-hat botnet") before examining your target(s); what would you want this botnet to do? Also, the term "botnet" carries a connotation of deliberate, stealthy subversion of computers without the knowledge or consent of those computers' owners. This is clearly against U.S. law, at any rate. It would also be trading abuse for abuse, something that I personally would not favor.

The bigger question, however, is whether we could expect a single solution to deal effectively with the sort of diffuse, distributed problem that spam represents. I must invoke my fellow Marylander, H.L. Mencken, who observed that there is a simple solution to every problem -- and it is usually wrong. In my experience, it does not take long for spammers to subvert or evade any blocks that are put in front of them.

You may recall the Blue Frog incident. Myself, I thought that Blue Frog was morally defensible (i.e., it was sending "remove messages" that had been explicitly solicited by the spammers) even though if you read between the lines you might have concluded that Blue Frog was trying to DoS-attack the spammers. Nevertheless, Blue Frog was smashed utterly by a sustained DoS attack apparently from one of the Russian pharma spammers. I don't think that Blue Frog ever posed much of a problem for spammers when it was operating, and certainly poses no problem at all for them right now.

-- rick


> ...spam has become practically a conventional advertising medium in Russia, and many Russians spam indiscriminately for mundane products like kitchen appliances, business training seminars, home improvement services, and the like. Inevitably these spams leak outside the spammer's target market in a form of "overspray" (by analogy with "blowback").
>
> I have some more info at my website: http://www.rickconner.net/spamweb/spam_russian.html

And, considering the recent rash of "Help, I'm being blackmailed" posts, it seems a blossoming trade in dodgy lists has ensued with a few of the new entrepreneurs taking that extra step - maybe using spam runs as proof of concept to ensure hits on SC reporters.

Just checked out a couple of my recent Cyrillic spams - yes, they are perfectly readable to anyone who wants to read spam, and yes, they are perfectly prosaic and totally misdirected. Wanting to lease commercial properties in need of renovation, that sort of thing - telephone contacts given.


> (...) it seems a blossoming trade in dodgy lists has ensued with a few of the new entrepreneurs taking that extra step - maybe using spam runs as proof of concept to ensure hits on SC reporters.
Making protection money by threatening to turn people in to SpamCop...my hat is off to this gent! Then again, I don't usually wear a hat anyway, so this is no big deal.

The glass-half-full observation is that being tarred by SpamCop is something that people actually fear...I have this mental picture of all the SC reporters as a pit of rabid curs, with the Simon Legree scammer here suspending the prospective victim over the pit by a slender cord, machete in hand.

-- rick


> ... Making protection money by threatening to turn people in to SpamCop...my hat is off to this gent! Then again, I don't usually wear a hat anyway, so this is no big deal. ...
Heh, a self-proclaimed white knight, a disgruntled player or just a clueless little thug trying to make money out of the competitors he can't outperform, who knows? Fortunately for him it probably doesn't matter, the heavy mob are unlikely to mistake him for a real threat. Of course they might just take exception to the impudence ...
